Infrastructure Protection Gateway

Transcription

1 Infrastructure Protection Gateway Our Nation s critical infrastructure is essential to sustaining our security, the economy, and the American way of life. The Department of Homeland Security (DHS), National Protection and Programs Directorate, Office of Infrastructure Protection (IP) leads the coordinated national effort to protect critical infrastructure from all hazards by managing risk and enhancing resilience through collaboration with the critical infrastructure community. Information systems play a vital role in allowing Federal, State, local, tribal, territorial, and private sector partners to identify, analyze, and manage risk to protect the Nation. The IP Gateway serves as the single interface through which DHS mission partners can access a large range of integrated IP tools, capabilities, and information to conduct comprehensive critical infrastructure vulnerability assessments, risk analysis, event planning, and incident tracking. Source: U.S. Department of Homeland Security Features The IP Gateway provides various data collection, analysis, and response tools in one integrated system, streamlining access to IP s tools and datasets by leveraging a single user registration, management, and authentication process. Highlights of the IP Gateway include: A selection of cyber and physical security survey and vulnerability assessment capabilities; Integrated data visualization and mapping capabilities to support complex data analysis; An array of tools to support critical infrastructure planning and analysis, including a robust data search capability; and A planning and management capability that utilizes consequence, vulnerability, and threat scenario information to support situational awareness, response efforts, and recovery prioritization. IP Gateway Administration and Access The IP Gateway is available to Federal, State, local, tribal, and territorial governments to enhance collaboration and promote cross-government information sharing. System administrators have been established to serve as the primary point of contact for the IP Gateway within their State, locality, tribe, or territory and will be responsible for vetting and granting access to requesting homeland security professionals within their region. To obtain access to the IP Gateway, all users must have a valid need-to-know, complete Protected Critical Infrastructure Information (PCII) Authorized User training and all required IP Gateway system training, and submit an application. PCII Program The Protected Critical Infrastructure Information (PCII) Program is an information-protection program that enhances voluntary information sharing between infrastructure owners and operators and the government. PCII protections mean that homeland security partners can be confident that sharing their information with the government will not expose sensitive or proprietary data. Contact Us Learn how the IP Gateway can support your organization s homeland security efforts by contacting the IP Gateway Help Desk at IPGateway@hq.dhs.gov or February 2015

2 Protected Critical Infrastructure Information Program The Protected Critical Infrastructure Information (PCII) program protects infrastructure information voluntarily shared with DHS to be used for homeland security purposes. The PCII program was created by Congress in the Critical Infrastructure Information Act of 2002, ensuring that PCII in the government s hands is protected from disclosure Protections PCII cannot: Be disclosed through a Freedom of Information Act (FOIA) request or through a request under a similar State, local, tribal, or territorial disclosure law; Be disclosed in civil litigation; or Be used for regulatory purposes. PCII may only be used by a Federal, State, local, tribal, or territorial government employee or contractor who: Has taken PCII training; Has homeland security duties; and Has a valid need to know that particular information. Source: U.S. Department of Homeland Security PCII is specially marked and must be safeguarded, both physically and electronically, under specific procedures to avoid any improper disclosures. All of these protections ensure that submitted information is protected and is used only by authorized homeland security professionals and used only for homeland security purposes. Uses PCII is used by DHS and other government homeland security professionals to identify vulnerabilities, mitigation strategies, and protective measures. DHS works closely with critical infrastructure asset owners and operators to provide a wide array of services and products to help them protect the Nation s critical infrastructure, and PCII is a key component in these efforts. PCII also allows DHS to collect and protect sensitive security critical infrastructure information, cyber-attack, risk, and vulnerability information to protect the Nation s infrastructure. PCII protections allow access to a vast amount of critical information necessary to detect, deter, and defend against threats to the Nation. Contact Information Learn how the IP Gateway can support your organization s homeland security efforts by contacting the IP Gateway Help Desk at IPGateway@hq.dhs.gov or July 2014

3 Infrastructure Protection Gateway Features Surveys and Assessments These non-regulatory surveys and assessments enable users to gather critical infrastructure data, including security, vulnerability, threat, and consequence information, that provide a complete context to meet users mission-specific needs. This feature ranges from high-level surveys to comprehensive in-depth assessments to evaluate a facility s security and resilience postures. Facility Dashboards The dashboards provide owners and operators with snapshots of their facility s security and resilience posture and compare those results with those of similar facilities across the Nation. The information in the dashboards, derived from completed surveys and assessments, allows owners and operators to develop scenarios to explore potential future improvement options. Events and Incidents Tracker This powerful analysis tool uses the protection and resilience data from completed surveys and assessments to enhance steady state, special event, and domestic incident support capabilities. It enables users to make decisions regarding the impact of various emergencies and to prioritize their planning, protection, response, and recovery efforts. Map View The IP Gateway s map function enables users to drill down and view numerous data layers to specific States, counties, or cities. These layers include static layers, such as facilities-by-sector, daytime population, or street-view pictures, and dynamic layers, such as current wildfire or weather elements. These geographically accurate presentations provide users with an in-depth look at an area s operational situation. Digital Library The Digital Library is a single interface through which users can access a collection of critical infrastructure resources, policy documents, and security and resilience information. This information helps users enhance critical infrastructure protection programs, prepare for and respond to incidents, and research and analyze infrastructure security and resilience data specific to their mission needs. Contact Us Learn how the IP Gateway can support your organization s homeland security efforts by contacting the IP Gateway Help Desk at IPGateway@hq.dhs.gov or * All images courtesy of U.S. Department of Homeland Security February 2015

4 Infrastructure Protection Gateway Rapid Survey Tool The Rapid Survey Tool (RST) is a non-regulatory data collection capability that examines the most critical aspects of a facility s security and resilience posture with efficient, baseline questions. It is a shorter survey that allows assessors to gather the general status of a facility before deciding whether an in-depth survey is required. The Web-based Rapid Survey Tool, available through the Infrastructure Protection Gateway (IP Gateway), captures a facility s physical and operational security and resilience data. The data are then analyzed to determine the facility s relative security and resilience in comparison to the national average for similar facilities. The resulting analysis is used to develop a Rapid Survey Information Center that equips owners and operators with knowledge to detect and prevent physical, cyber, and natural threats and respond to, recover from, and remain resilient against all hazards. Capabilities Source: U.S. Department of Homeland Security The RST enables assessors to: Collect pertinent cyber and physical security and resilience information on a facility; Conduct on-site security and resilience surveys in less than one (1) hour; Capture data, regardless of Internet access, for later upload to the IP Gateway; Ensure consistent data collection to support comparative analysis across facilities and assets; Use the tool s intuitive design to conduct surveys with minimal training; Collect data to support situational awareness and incident response activities; Determine whether an in-depth survey or assessment is required; and Pre-populate future surveys and assessments with data collected using the RST. Rapid Survey Information Center Source: U.S. Department of Homeland Security The Information Center, a brief overview of the survey results, is generated and returned to the facility owner and operator as a benefit of participating in the survey and providing their information. Key features of the Rapid Survey Information Center include: Comparison data of the facility s responses against facilities in a similar sector or subsector; Reports on the site s dependency information, increasing understanding of reliance on other assets and facilities; Resource guide to aid the owner and operator in enhancing their security and resilience status; and Regional maps showing natural hazards that may impact the facility s ability to carry out its intended mission. Contact Us Learn how the RST can support your organization s homeland security efforts by contacting the IP Gateway Help Desk at IPGateway@hq.dhs.gov or July 2014

5 est sint Enhanced Critical Infrastructure Protection Security Surveys The Enhanced Critical Infrastructure Protection (ECIP) initiative is a voluntary program which includes two parts: outreach and security surveys. Outreach establishes or enhances the Department of Homeland Security s (DHS s) relationship with critical infrastructure owners and operators and informs them of the importance of their facilities and the need for vigilance. Security surveys are conducted by the Office of Infrastructure Protection (IP) Protective Security Advisors (PSAs) to assess the overall security and resilience of the Nation s most critical infrastructure sites. Program Description The primary goals of ECIP initiative and security surveys are to: Forge strong relationships among the owners and operators of the Nation s most critical facilities, DHS, and Federal, State, local, tribal, and territorial partners. These relationships serve to increase communications and information sharing, enhance sector security, provide facility owners and operators access to Federal tools and resources. Inform and educate facility owners and operators about resilience and specific vulnerabilities and threats associated with the site or facility. To accomplish these goals, PSAs leverage existing relationships and provide coordination for IP programs and resources to enhance protection and resilience efforts. These efforts include outreach, training and education, and recommended protective measures. PSAs conduct voluntary ECIP security surveys in coordination with facility owners and operators, State Homeland Security Advisors, local law enforcement, sectorspecific agencies (SSAs) that oversee the 16 critical infrastructure sectors, and other critical infrastructure partners such as industry organizations. ECIP security surveys accomplish the following: Identify facilities physical security, security forces, security management, protective measures, information sharing, dependencies, and capabilities related to preparedness, mitigation, response, resilience and recovery Create facility Protective and Resilience Measures Indices (PMI/RMI) that can be compared with similar facilities Inform planning and resource allocation for implementing protective and resiliency measures Track the implementation of new protective and resilience measures DHS.gov The ECIP security surveys collect, process, and analyze facility assessment data in near real-time. Data collected during the ECIP security surveys is weighted and scored, enabling IP to conduct sector-by-sector and cross-sector vulnerability comparisons. These comparisons identify security gaps and trends and enable IP to track progress toward improving critical infrastructure security through its programs, outreach efforts, and training.

6 The resulting survey information is provided to owners and operators and may also be shared with the SSAs and other Federal, State, local, and private sector representatives through interactive Dashboards. In addition to providing a facility and sector security and resilience overview, the Dashboards highlight areas of potential concern and feature options to view the impact of potential enhancements to protective and resilience measures. ECIP metrics provide DHS with information on the protective and resilience measures in place at facilities and enable detailed analyses of site and sector vulnerabilities. This approach serves as a mechanism for IP to identify and document critical infrastructure overall security, to provide information for protective and resiliency measures planning and resources allocation, to facilitate Government information sharing, and to enhance its ability to analyze data and produce improved metrics. Contact Information For more information, please contact PDCDOperations@hq.dhs.gov. DHS.gov December 2013

7 Protective Measures Index The Homeland Security Act of was the governing document that officially formed the U.S. Department of Homeland Security (DHS) and mandated (among other things) that the department carry out comprehensive assessments of the vulnerabilities of the key resources and critical infrastructure of the United States. In response to this mandate, in 2009, the DHS and its Protective Security Advisors began assessing nationally critical infrastructure assets using a targeted questionnaire, the Infrastructure Survey Tool (IST). The data collected was used to produce assetspecific protective measure information conveyed through the Protective Measures Index (PMI). The main objective of the PMI is to provide a relative measure of the ability of a critical infrastructure asset to resist disruptive events an indication of how well protected the asset is. The PMI has been formulated to capture the fundamental aspects of protection for critical infrastructure and facilitates the comparison of protection postures across critical infrastructure assets. Aggregate information can be used to assess prevalent sector and subsector security gaps, identify potential protective measures and enhancements to reduce potential vulnerabilities, and assist in preparing sector risk estimates. The PMI methodology generates reproducible results that can support decisionmaking concerning critical infrastructure risk management. The PMI complements other indices that have been developed the Resilience Measurement Index (RMI) and Consequences Measurement Index (CMI) allowing a holistic view of most components of critical infrastructure risk. The PMI aggregates five operational dimensions of protection as shown in Figure 1: Physical Security, Security Management, Security Force, Information Sharing, and Security Activity Background. 2 The PMI calculation uses decisionanalytic techniques with a basis and multiattribute utility theory. The PMI ranges from 0 (low protection) to 100 (high protection) and is based on data collected via the IST that have been weighted by subject matter experts to indicate the relative importance of each variable to the asset s overall protection posture. Asset-specific protection information is displayed FIGURE 1. Level 1 Components of the PMI. on a Web-based tool called the IST PMI Dashboard. The IST PMI Dashboard provides valuable information to owners and operators regarding their facility s protection relative to similar assets. 3 The Dashboard can be used to create scenarios and assess relative improvement of overall facility protection when specific protective measures and/or 1 DHS, The Homeland Security Act of 2002, accessed April 4, Petit, F., G.W. Bassett, W.A. Buehring, M.J. Collins, D.C. Dickinson, R.A. Haffenden, A.A. Huttenga, M.S. Klett, J.A. Phillips, S.N. Veselka, K.E. Wallace, R.G. Whitfield, and J.P. Peerenboom, 2013, Protective Measures Index and Vulnerability Index: Indicators of Critical Infrastructure Protection and Vulnerability, Argonne National Laboratory, p The data displayed for the facility is static, reflective of the relative resilience of the facility at the time of the survey. If you have further questions about the PMI, please contact DHS at PSCDOperations@hq.dhs.gov.

8 procedures are added or changed. Policies, procedures, or operational methods are enhancements with which the facility may increase protection. Figure 2 is a screenshot of the IST PMI Dashboard Overview Screen. The Overview Screen displays overall PMI as well as the five main components: Physical Security, Security Management, Security Force, Information Sharing, and Security Activity Background. The sets of three dots allow the user to visually compare their facility protection stature to the low, average, and high protection postures of comparable facilities. The Dashboard s interactive Facility Scenario function allows the facility owner or operator to select possible protection enhancements and immediately see the resulting modified PMI (the light blue bars). FIGURE 2. IST PMI Dashboard Overview Screen (Illustrative Asset). The PMI should be used as part of an overall risk management program and can support decisionmaking about protection, business continuity, and emergency management of critical infrastructure. It provides important information about the protective measures implemented at a given facility and how that facility compares to similar facilities. Other factors such as location, specific vulnerabilities, and a cost-benefit analysis, should also be utilized to ensure a complete picture of a facility s protection level or posture. The asset-specific protection, used in conjunction with vulnerability information, and facility consequence and resilience information can provide decision makers with a comprehensive risk picture with which to make management and policy decisions ensuring the continued protection and resilience of our Nation s critical infrastructure.

9 Resilience Measurement Index In 2009, the U.S. Department of Homeland Security (DHS) and its Protective Security Advisors began surveying critical infrastructure using the Infrastructure Survey Tool (IST.) The data collected was initially used to produce asset specific protective measure through the Protective Measures Index (PMI). As national priorities for critical infrastructure expanded beyond protection to include focus on resilience 1, it became necessary to collect and display asset specific resilience-related information as well, resulting in the creation of the Resilience Measurement Index (RMI). Resilience, in the context of critical infrastructure, can be defined as the ability of an entity (e.g., asset, organization, community, region) to anticipate, resist, absorb, respond to, adapt to, and recover from a disturbance. 2 Enhancing the resilience of critical infrastructure requires its owners and operators to understand the ability of that infrastructure to withstand specific threats, minimize or mitigate potential impacts, and to return to normal operations if degradation occurs (threat to consequence.) The RMI has been formulated using decision-analytic Figure 1. -Level 1 and Level 2 Information Collected on Facility techniques with a basis in multi-attribute Resilience utility theory, to capture the fundamental aspects of resilience for critical infrastructure. The RMI is an aggregate measure of four operational dimensions that encompass the elements of that definition of resilience: Preparedness, Mitigation Measures, Response Capability, and Recovery Mechanisms (see Figure 1). The RMI, which ranges from 0 (low resilience) to 100 (high resilience), allows comparison of the resilience of different critical infrastructure assets and provides a basis for prioritizing the implementation of operational and physical enhancements to increase asset resilience. Asset specific resilience information is displayed on an interactive, Web-based tool called the IST RMI Dashboard. The IST RMI Dashboard provides valuable information to owners and operators regarding 1 Most recently see PPD-21, The Presidential Directive on Critical Infrastructure Protection and Resilience. 2 Carlson, L., G. Basset, W. Buehring, M. Collins, S. Folga, B. Haffenden, F. Petit, J. Phillips, D. Verner, and R. Whitfield, Resilience Theory and Applications, Argonne National Laboratory, Decision and Information Sciences Division, ANL/DIS-12-1, Argonne, Ill, USA, If you have further questions about the RMI, please contact DHS at PSCDOperations@hq.dhs.gov.

10 their facility s resilience relative to similar assets 3. The Dashboard can be used to create scenarios and assess the relative improvement of overall facility resilience when specific resilience measures and/or procedures are added or changed. Policies, procedures, or operational methods are enhancements with which the facility may increase resilience. Figure 2.-RMI Dashboard Overview Screen (Illustrative Asset) Figure 2 is a screenshot of the IST RMI Dashboard Overview Screen used to display the results of a resilience analysis for a particular asset. Existing facility resilience values are indicated with dark blue bars. The Overview Screen displays overall RMI as well as the four main components of the RMI (Preparedness, Mitigation Measures, Response Capabilities, and Recovery Mechanisms). The sets of three dots allow the user to visually compare their facility resilience stature to the low, average and high resilience postures of comparable facilities (e.g., sector, subsector, segment). The Dashboard s interactive Facility Scenario function allows the facility owner or operator to select possible resilience enhancements and immediately see the resulting modified RMI (the light blue bars). The RMI methodology supports decisionmaking related to emergency management, disaster response, and maintenance of business continuity. It is most valuable as part of an overall risk management program. Other factors such as location, specific vulnerabilities, and cost-benefit analyses can also be utilized to ensure a complete and comprehensive resilience picture for the asset. 4 The assets specific resilience information, used in conjunction with information on the vulnerabilities and consequences can provide decisionmakers with a holistic risk picture in which to make management and policy decisions ensuring the continued protection and resilience of our nation s critical infrastructure. 3 The data displayed for the facility is static, reflective of the relative resilience of the facility at the time of the survey 4 Facility vulnerability information can be ascertained via the PMI, and consequences via the consequence information collected in the survey